AC-12 Session Termination

Access Control

Baselines: Low, Moderate, High

Description

The information system automatically terminates a remote session after [Assignment: organization-defined time period] of inactivity.

Supplemental Guidance

A remote session is initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).

Enhancements

(1) Automatic session termination applies to local and remote sessions.

MITRE ATT&CK Techniques (6)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Execution: 1, Persistence: 1, Lateral Movement: 4, Collection: 1

Compliance Mappings

ISO 27002:2022

5.15

COBIT 2019

DSS05

NIS2 Directive

Art. 21(2)(i)

MAS TRM

9

BSI IT-Grundschutz

ORP.4

ANSSI

Hygiene.12, SecNumCloud.10.6

FINMA Circular 2023/1

IV.B.d(59), IV.C(61)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(b)

EU DORA

Art.9(4)(c)

BIO2

5.15

RBI CSF

Annex1.8

FISC Security Guidelines

FISC.T2

HKMA TM-E-1

TME1.8.4

MLPS 2.0

8.1.3.2, 8.1.4.10

SWIFT CSCF

SWIFT.2.6

SAMA CSF

3.1

NCA ECC

2-2

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1

SA JS2

JS2-7.1

CBN CSF

Part3.2

BoG CISD

CISD-VIII

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

HIPAA Security Rule

§164.312(a)(2)(iii)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC

IEEE 1686-2022

5.8

Common Criteria

CC Part 2 — FRU/FTA/FTP

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS8.3

HITRUST CSF v11

01.c

FDA 21 CFR Part 11

§11.10(d), §11.200(a)(1)(i)

ISO 27799

9.4

ISO 17799 (legacy)

11.3.2, 11.5.5

COBIT 4.1 (legacy)

None.